Cisco press penetration testing and network defense nov 2005 ISBN 1587052083

Document information

Penetration Testing and Network Defense
By Andrew Whitaker, Daniel P. Newman
Publisher: Cisco Press
Pub Date: November 04, 2005
ISBN: 1-58705-208-3
Pages: 624

The practical guide to assessing network vulnerabilities and managing security risk.

  • Assess your network's defensive strengths and eliminate vulnerabilities with proven internal testing methodologies
  • Learn how to perform simulated attacks on live networks
  • Detect network attacks using the Cisco Intrusion Detection Sensor and Security Agent
  • A complete real-world case study shows a step-by-step process for conducting your own penetration tests

Security threats are on the rise, and companies must be prepared to face them. One way companies are assessing security risk and the vulnerability of their networks is by hiring security firms to attempt to penetrate their networks or by developing in-house penetration testing skills to continually monitor network vulnerabilities. Penetration testing is a growing field, yet there is no definite resource on how to perform a penetration test and the ethics of testing.

Penetration Testing and Cisco Network Defense offers detailed steps on how to emulate an outside attacker to assess the security of a network. Unlike other books on hacking, this book is specifically geared toward penetration testing. Divided into two parts, this book provides a set of guidelines and methodologies for understanding and performing internal penetration tests. It also shows how an attack can be detected on a network. Part one covers understanding penetration testing, assessing risks, and creating a testing plan. Part two focuses on the particulars of testing, and each chapter includes three essential components: the steps to perform a simulated attack using popular commercial and open-source applications; how to detect the attack with Cisco Intrusion Detection Sensor and Security Agent; suggestions on how to harden a system against attacks.

Table of Contents

  • Copyright
  • About the Authors
  • About the Technical Reviewers
  • Acknowledgments
  • Icons Used in This Book
  • Command Syntax Conventions
  • Foreword
  • Introduction: Who Should Read this Book; Ethical Considerations; How This Book Is Organized
  • Part I: Overview of Penetration Testing
    • Chapter 1. Understanding Penetration Testing: Defining Penetration Testing; Assessing the Need for Penetration Testing; Attack Stages; Choosing a Penetration Testing Vendor; Preparing for the Test; Summary
    • Chapter 2. Legal and Ethical Considerations: Ethics of Penetration Testing; Laws; Logging; To Fix or Not to Fix; Summary
    • Chapter 3. Creating a Test Plan: Step-by-Step Plan; Open-Source Security Testing Methodology Manual; Documentation; Summary
  • Part II: Performing the Test
    • Chapter 4. Performing Social Engineering: Human Psychology; What It Takes to Be a Social Engineer; First Impressions and the Social Engineer; Tech Support Impersonation; Third-Party Impersonation; E-Mail Impersonation; End User Impersonation; Customer Impersonation; Reverse Social Engineering; Protecting Against Social Engineering; Case Study; Summary
    • Chapter 5. Performing Host Reconnaissance: Passive Host Reconnaissance; Active Host Reconnaissance; Port Scanning; NMap; Detecting a Scan; Case Study; Summary
    • Chapter 6. Understanding and Attempting Session Hijacking: Defining Session Hijacking; Tools; Beware of ACK Storms; Kevin Mitnick's Session Hijack Attack; Detecting Session Hijacking; Protecting Against Session Hijacking; Case Study; Summary; Resources
    • Chapter 7. Performing Web Server Attacks: Understanding Web Languages; Website Architecture; E-Commerce Architecture; Web Page Spoofing; Cookie Guessing; Brute Force Attacks; Tools; Detecting Web Attacks; Protecting Against Web Attacks; Case Study; Summary
    • Chapter 8. Performing Database Attacks: Defining Databases; Testing Database Vulnerabilities; Securing Your SQL Server; Detecting Database Attacks; Protecting Against Database Attacks; Case Study; Summary; References and Further Reading
    • Chapter 9. Password Cracking: Password Hashing; Password-Cracking Tools; Detecting Password Cracking; Protecting Against Password Cracking; Case Study; Summary
    • Chapter 10. Attacking the Network: Bypassing Firewalls; Evading Intruder Detection Systems; Testing Routers for Vulnerabilities; Testing Switches for Vulnerabilities; Securing the Network; Case Study; Summary
    • Chapter 11. Scanning and Penetrating Wireless Networks: History of Wireless Networks; Antennas and Access Points; Wireless Security Technologies; War Driving; Tools; Detecting Wireless Attacks; Case Study; Summary
    • Chapter 12. Using Trojans and Backdoor Applications: Trojans, Viruses, and Backdoor Applications; Common Viruses and Worms; Trojans and Backdoors; Detecting Trojans and Backdoor Applications; Prevention; Case Study; Summary
    • Chapter 13. Penetrating UNIX, Microsoft, and Novell Servers: General Scanners; UNIX Permissions and Root Access; Microsoft Security Models and Exploits; Novell Server Permissions and Vulnerabilities; Detecting Server Attacks; Preventing Server Attacks; Case Study; Summary
    • Chapter 14. Understanding and Attempting Buffer Overflows: Memory Architecture; Buffer Overflow Examples; Preventing Buffer Overflows; Case Study; Summary
    • Chapter 15. Denial-of-Service Attacks: Types of DoS Attacks; Tools for Executing DoS Attacks; Detecting DoS Attacks; Preventing DoS Attacks; Case Study; Summary
    • Chapter 16. Case Study: A Methodical Step-By-Step Penetration Test: Case Study: LCN Gets Tested; DAWN Security
  • Part III: Appendixes
    • Appendix A. Preparing a Security Policy: What Is a Security Policy?; Risk Assessment; Basic Policy Requirements; Security Policy Implementation and Review; Preparing a Security Policy in Ten Basic Steps; Reference Links
    • Appendix B. Tools: Performing Host Reconnaissance (Chapter 5); Understanding and Attempting Session Hijacking (Chapter 6); Performing Web-Server Attacks (Chapter 7); Performing Database Attacks (Chapter 8); Cracking Passwords (Chapter 9); Attacking the Network (Chapter 10); Scanning and Penetrating Wireless Networks (Chapter 11); Using Trojans and Backdoor Applications (Chapter 12); Penetrating UNIX, Microsoft, and Novell Servers (Chapter 13); Understanding and Attempting Buffer Overflows (Chapter 14); Denial-of-Service Attacks (Chapter 15)
    • Glossary: A B C D E F H I JKL M N OP R S T U V W
  • Index

Copyright

Penetration Testing and Network Defense
Andrew Whitaker and Daniel P. Newman
Copyright © 2006 Cisco Systems, Inc.
Published by: Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
First Printing November 2005
Library of Congress Cataloging-in-Publication Number: 2004108262

Warning and Disclaimer

This book is designed to provide information about penetration testing and network defense techniques. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an "as is" basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. We greatly appreciate your assistance.

  • Publisher: John Wait
  • Editor-in-Chief: John Kane
  • Cisco Representative: Anthony Wolfenden
  • Cisco Press Program Manager: Jeff Brady
  • Executive Editor: Brett Bartow
  • Production Manager: Patrick Kanouse
  • Senior Development Editor: Christopher Cleveland
  • Project Editor: Marc Fowler
  • Copy Editor: Karen A. Gill
  • Technical Editors: Steve Kalman, Michael Overstreet
  • Team Coordinator: Tammi Barnett
  • Book/Cover Designer: Louisa Adair
  • Compositor: Mark Shirar
  • Indexer: Tim Wright

Corporate Headquarters Cisco Systems, Inc.

STP attacks, hardening against testing for vulnerabilities via ARP attacks via MAC table flooding via STP via VLAN hopping via VTP attacks VLAN hopping VTP attacks, hardening against symptoms of session hijacking SYN floods 2nd SYN scans system log files, detecting password-cracking attacks system stored procedures system tablespace sysxlogins

Index [SYMBOL] [A] [B] [C] [D] [E] [F] [G] [H] [I] [J] [K] [L] [M] [N] [O] [P] [Q] [R] [S] [T] [U] [V] [W] [X] [Z]

T-Sight T-SQL (Transact-SQL) tablespaces TCP embryonic connections sequence prediction session hijacking TCP Connect() scans TCPView tech support personnel, impersonating technology-based social engineering telecommuters, remote access policy Teleport Pro Telnet sessions, hijacking example temporal response analysis Ten Commandments of Computer Ethics testing RDBMS for vulnerabilities brute force attacks connection strings SQL injection system stored procedures routers for vulnerabilities CDP HTTP service passwords routing protocols switches for vulnerabilities via ARP attacks via MAC table flooding via STP via VLAN hopping via VTP attacks testing reports Appendixes Executive Summary section 2nd Project Scope section Results Analysis section tests black-box tests crystal-box gray-box white-box tests third-party impersonation threats availability threats confidentiality threats integrity threats tiered e-commerce architecture tiger teams time bomb viruses Tini Titanic syndrome TMRC (Tech Model Railroad Club) TOE (target-of-evaluation) tools backdoor applications for attempting buffer overflows for attempting DoS attacks Datapool Hgod Jolt2 for performing database attacks for performing network attacks for performing server penetration for performing web server attacks for wireless network penetration hacking tools, availability of host reconnaissance 2nd password cracking session hijacking vulnerability scanners ISS Nessus NetRecon SAINT SARA traits of social engineers confidence patience possessing inside knowledge trust Trojan applications 2nd 3rd 4th Beast client configuration 2nd gaining access with, case study server settings BO2K plug-ins Brown Orifice detecting Donald Dick 2nd scanner software SubSeven 2nd 3rd trust as social engineer trait trust model TTY Watcher tunneling ICMP tunneling Loki ICMP tunneling two-factor security Type-1 wireless

unallocated MAC addresses, detecting on wireless networks unethical practices, free penetration testing UNIX elevation techniques irix-login.c rpc.statd exploit stack smashing exploit password hashing password-cracking utilities, Nutcracker permissions assigning to root user rootkits salts UrlScan USA PATRIOT act USENET newsgroups user accounts, locking out user exec mode user group meetings utilities backdoor applications 2nd CleanIISLog execiis-win32.exe for attempting buffer overflows for attempting DoS attacks for attempting network attacks for server penetration for wireless network penetration fport host reconnaissance 2nd IIS Xploit IntelliTamper NetCat Netstat packet sniffers password-cracking Boson GetPass Hypnopædia John the Ripper L0phtcrack 2nd 3rd Nutcracker Pwdump3 RainbowCrack Snadboy Revelation session hijacking TCPView vulnerability scanners commercial open-source Xprobe2

VBScript vendors of penetration testing, selecting views (MySQL), INFORMATION_SCHEMA viruses 2nd [See also worms] BugBear Chernobyl construction kits Melissa Sasser virus scanner software Visual Route VLAN hopping hardening switches against testing switches for vulnerabilities VTP attacks hardening switches against testing switches for vulnerabilities vulnerabilities of Apache HTTP Web Servers of databases to attack of IIS web servers buffer overflows privilege escalation showcode.asp of RDBMSs, testing vulnerability scanners 2nd commercial ISS Nessus NetRecon open-source SAINT SARA tests performed Whisker attacks, detecting

W32.CIH.Spacefiller W32.Slammer worm W32/BugBear virus W32/Klez worm 2nd war dialing war driving war flying war pedaling war sailing war walking web attacks detecting directory traversals, detecting web languages ASP CGI ColdFusion DHTML file extensions HTML Java client-based server-based JavaScript JScript Perl PHP VBScript XHTML XML web pages hidden fields, exploiting spoofing tools for performing web servers Apache applications, securing vulnerabilities attacks on, tools for performing 2nd IIS applications, securing vulnerabilities web-based authentication attacks websites configuring NAT downloading for offline viewing Google.com as hacking tool OECD orphan pages securing sockets WEP (Wired Equivalency Protocol) 2nd WEPCrack wetware Wget Whisker attacks, detecting white-box tests white-hat hackers Whois lookups Windows elevation techniques HK exploit PipeUpAdmin hashing password-cracking utilities, Hypnopædia privilege escalation, example of rootkits wireless networks 802.1x port security access points attacks detecting preventing DoS attacks, detecting DSSS history of IPSec MAC address spoofing, detecting MAC filtering penetration testing tools AiroPeek NX AirSnort DStumbler GPSMAP Kismet NetStumbler StumbVerter WEPCrack rogue APs, detecting security case study SSIDs standards, enforcing Type-1 unallocated MAC addresses, detecting war driving WEP witness consultants as social engineering coaches WLANs (wireless LANs) worms 2nd Blaster "I Love You," MyDoom Sasser W32/Klex

XHTML Xmas-Tree scans XML Xprobe2

zero-day exploits zones

Date posted: 26/03/2019, 16:04

Table of contents

  • Penetration Testing and Network Defense

  • Table of Contents

  • Copyright

  • About the Authors

  • About the Technical Reviewers

  • Acknowledgments

  • Icons Used in This Book

  • Command Syntax Conventions

  • Foreword

  • Introduction

    • Who Should Read this Book

    • Ethical Considerations

    • How This Book Is Organized

    • Part I: Overview of Penetration Testing

      • Chapter 1. Understanding Penetration Testing

        • Defining Penetration Testing

        • Assessing the Need for Penetration Testing

        • Attack Stages

        • Choosing a Penetration Testing Vendor

        • Preparing for the Test

        • Summary

        • Chapter 2. Legal and Ethical Considerations

          • Ethics of Penetration Testing

          • Laws
